From owner-freebsd-questions@FreeBSD.ORG Sat Jan 23 12:18:06 2010
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 210D1106566C for ; Sat, 23 Jan 2010 12:18:06 +0000 (UTC) (envelope-from norgaard@locolomo.org)
Received: from mail.locolomo.org (97.pool85-48-194.static.orange.es [85.48.194.97]) by mx1.freebsd.org (Postfix) with ESMTP id 831578FC12 for ; Sat, 23 Jan 2010 12:18:05 +0000 (UTC)
Received: from beta.1-16-172-dyn.locolomo.org (unknown [172.16.1.127]) by mail.locolomo.org (Postfix) with ESMTPSA id 072E01C1A67; Sat, 23 Jan 2010 13:18:04 +0100 (CET)
Message-ID: <4B5AE8FB.1030901@locolomo.org>
Date: Sat, 23 Jan 2010 13:18:03 +0100
From: Erik Norgaard
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: Doug Hardie
References: <4B594FC0.3010200@el.net> <4B5973AD.8070603@locolomo.org> <772FAD6A-C534-4217-9AA7-274561879E86@lafn.org> <4B59887E.30301@locolomo.org> <4D14E7C8-DFFD-4580-8CD0-99BB3C4EB051@lafn.org>
In-Reply-To: <4D14E7C8-DFFD-4580-8CD0-99BB3C4EB051@lafn.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Cc: freebsd-questions -
Subject: Re: pf rules
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Sat, 23 Jan 2010 12:18:06 -0000

Doug Hardie wrote:
> This is quite interesting. I can't figure out the rules on my system.
Maybe try to simplify, clean up and structure your rules :)

> Here is the pf.conf file with all comments removed:
>
> table persist file "/etc/blackhole"
> table persist
> table persist
> table persist file "/etc/mail/whitelist"
> MAILHOSTS = "{zool.lafn.org}"
>
> no rdr on { lo0, lo1 } from any to any
> no rdr inet proto tcp from to any port smtp
> no rdr inet proto tcp from to any port smtp
> rdr pass log inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd
> pass in log inet proto tcp to $MAILHOSTS port smtp keep state
> pass in log on sis0 reply-to (sis0 192.168.25.1) proto tcp from any to any port 75 keep state
> block in quick log on $ext_if from to any

1. pf allows shortcuts, but these also make it more difficult to debug. I'd separate NAT from filtering, that is, never use "rdr pass" even though pf allows it. You also need to understand when rdr takes place to write your filtering rules.

2. You can deploy one of two policies: default block with a whitelist, or default pass with a blacklist. Mixing these is a bad idea.

3. $ext_if = dc0?

4. rdr needs an interface. I'm surprised that pf will parse the above, and have no idea what it does with it. pfctl -sn should show you the nat rules.

5. Organize your rules as sketched in my last mail, grouping rules for each interface; it really helps locating where things go wrong. I have log statements and catch-all rules to ensure that if these are triggered there is something in my ruleset I haven't taken into account. I avoid using "any" except in default rules.

> Note: the blackhole file is empty as is the whitelist file. There is an entry for 216.54.240.150 in spamd database. This is a test system.
>
> Here is the output of tcpdump where I have only taken one entry for each rule.
> I have listed the rule number at the front of each line:
>
> Rule 0: 14:01:27.133320 rule 0/0(match): pass in on dc0: 216.54.240.150.55782 > 206.117.18.7.25: S 2501333595:2501333595(0) win 65535
> Rule 1: 02:26:44.755650 rule 1/0(match): pass in on sis0: 71.109.144.133.40864 > 192.168.25.7.75: S 3941268770:3941268770(0) win 65535
> Rule 2: 10:44:45.037918 rule 2/0(match): block in on dc0: 71.109.162.173.39529 > 206.117.18.7.75: . ack 145 win 65535
> Rule 4: 13:51:16.022700 rule 4/0(match): rdr in on dc0: 216.54.240.150.49821 > 127.0.0.1.8025: S 2371633783:2371633783(0) win 65535
>
> I found no entries for rule 3. There is virtually no traffic on this system other than from me.
>
> As I look at pf.conf and tie the rules to the entries I get (rule number at beginning of line):
>
> no rdr on { lo0, lo1 } from any to any
> no rdr inet proto tcp from to any port smtp
> 0 - no rdr inet proto tcp from to any port smtp
> 4 - rdr pass log inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd
> pass in log inet proto tcp to $MAILHOSTS port smtp keep state
> 1 - pass in log on sis0 reply-to (sis0 192.168.25.1) proto tcp from any to any port 75 keep state
> block in quick log on $ext_if from to any
>
> I have no clue which one is rule 2. The only block is the last entry but that should never be used because the blackhole file is empty. pfctl shows the table is empty also.
>
> The ordering seems to make no sense either. I also note that the man page for pf.conf indicates in the BNF grammar for pf.conf that log is a valid entry for no rdr. However, that always generates a syntax error. Apparently there is no way to log the use of no rdr rules.

See, things seem to have been swapped around somehow: that rule 4 rdr is really rule 0 again, only now it matches for the rdr action; in rule 0 it matches the pass action. Or so it appears. Anyway, to interpret the output of pflog, you need the output from pfctl -sr and pfctl -sn rather than your config file.
So, to solve your problem, separate first NAT and filtering. Things become so much more clear.

Regards, Erik

--
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org
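A small parser, added here and not part of Erik's reply or of pf itself, that shows why the rule numbers in pflog output have to be read against the loaded rulesets (pfctl -sr for filter rules, pfctl -sn for translation rules) rather than against pf.conf: the same number refers to a different rule depending on whether the logged action is a translation. All pflog lines and ruleset dumps below are constructed samples with documentation addresses, and the helper names are my own.

```python
import re

# Added example, not from the original thread; every sample below is constructed.
# pflog lines are in the tcpdump shape the thread shows; the @N prefixes in the
# pfctl -vvsr / -vvsn dumps are the numbers pflog reports (loaded ruleset order).
PFLOG = """\
14:01:27.133320 rule 0/0(match): pass in on dc0: 192.0.2.10.55782 > 198.51.100.7.25: S 1:1(0) win 65535
10:44:45.037918 rule 2/0(match): block in on dc0: 192.0.2.20.39529 > 198.51.100.7.75: . ack 145 win 65535
13:51:16.022700 rule 4/0(match): rdr in on dc0: 192.0.2.10.49821 > 127.0.0.1.8025: S 2:2(0) win 65535
"""
FILTER_DUMP = """\
@0 pass in log inet proto tcp from any to 198.51.100.7 port = smtp flags S/SA keep state
@1 pass in log on sis0 reply-to (sis0 192.168.25.1) proto tcp from any to any port = 75 flags S/SA keep state
@2 block drop in log quick on dc0 from <banned> to any
"""
NAT_DUMP = """\
@0 no rdr on lo0 inet from any to any
@3 no rdr inet proto tcp from <smtp_ok> to any port = smtp
@4 rdr pass log inet proto tcp from any to any port = smtp -> 127.0.0.1 port 8025
"""

PFLOG_RE = re.compile(r"rule (\d+)/\d+\((\w+)\): (\w+) (in|out) on (\w+):")
TRANSLATION_ACTIONS = {"rdr", "nat", "binat"}  # numbered in the -sn ruleset

def parse_dump(dump):
    """Map each @N index in a pfctl -vv dump to the rule text after it."""
    rules = {}
    for line in dump.splitlines():
        m = re.match(r"@(\d+) (.*)", line)
        if m:
            rules[int(m.group(1))] = m.group(2)
    return rules

def resolve(pflog, filter_dump, nat_dump):
    """Attach loaded-rule text to each pflog line; the same number means a
    different rule depending on whether the logged action is a translation."""
    filter_rules, nat_rules = parse_dump(filter_dump), parse_dump(nat_dump)
    out = []
    for line in pflog.splitlines():
        m = PFLOG_RE.search(line)
        if not m:
            continue
        num, _reason, action, direction, iface = m.groups()
        ruleset = "nat" if action in TRANSLATION_ACTIONS else "filter"
        table = nat_rules if ruleset == "nat" else filter_rules
        out.append({"rule": int(num), "action": action, "dir": direction,
                    "iface": iface, "ruleset": ruleset,
                    "text": table.get(int(num))})  # None when not in the dump
    return out
```

On a live system the dumps come from `pfctl -vvsr` and `pfctl -vvsn` and the pflog lines from `tcpdump -n -e -ttt -i pflog0`; a `None` text means the logged number is not in the dump you captured, usually because the ruleset was reloaded in between.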